{"id":21392161,"url":"https://github.com/sysdiglabs/kube-policy-advisor","last_synced_at":"2025-07-13T18:31:00.199Z","repository":{"id":44149062,"uuid":"408749293","full_name":"sysdiglabs/kube-policy-advisor","owner":"sysdiglabs","description":null,"archived":false,"fork":false,"pushed_at":"2024-05-07T13:13:45.000Z","size":30102,"stargazers_count":20,"open_issues_count":4,"forks_count":2,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-06-21T02:14:45.806Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-21T08:52:08.000Z","updated_at":"2024-06-13T05:13:54.000Z","dependencies_parsed_at":"2024-06-21T01:25:25.962Z","dependency_job_id":null,"html_url":"https://github.com/sysdiglabs/kube-policy-advisor","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-policy-advisor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-policy-advisor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-policy-advisor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-policy-advisor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/kube-policy-advisor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225908242,"owners_count":17543472,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-22T13:39:28.074Z","updated_at":"2024-11-22T13:39:28.829Z","avatar_url":"https://github.com/sysdiglabs.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kube Policy Advisor\n\nkube-policy-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) or OPA Policy from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).\n\nIt has 2 subcommands, `kube-policy-advisor inspect` and `kube-policy-advisor convert`. `inspect` connects to a K8s API server, scans the security context of workloads in a given namespace or the entire cluster, and generates a PSP or an OPA Policy based on the security context. `convert` works without connecting to an API Server, reading a single .yaml file containing a object with a pod spec and generating a PSP or OPA Policy based on the file.\n\n## Installation as a Krew Plugin\n\nFollow the [instructions](https://github.com/kubernetes-sigs/krew#installation) to install `krew`. Then run the following command:\n\n```\nkubectl krew install advise-policy\n```\n\nThe plugin will be available as `kubectl advise-policy`.\n\n## Build and Run locally\n1. ```make build```\n2. ```./kube-policy-advisor inspect``` to generate OPA Policy based on running cluster configuration. OPA is the default output.\n   - 2.1 ```./kube-policy-advisor inspect --namespace=\u003cns\u003e``` to print report or OPA Policy within a given namespace (default to all)\n   - 2.2 ```./kube-policy-advisor inspect --deny-by-default``` to generate an OPA Policy, where OPA Default Rule is Deny ALL\n   - 2.3 ```./kube-policy-advisor inspect --policy psp``` to generate PSP based on running cluster configuration\n   - 2.4 ```./kube-policy-advisor inspect --policy psp --report``` to print the details reports (why this PSP is recommended for the cluster)\n   - 2.5 ```./kube-policy-advisor inspect --policy psp --grant``` to print PSPs, roles and rolebindings for service accounts (refer to [psp-grant.yaml](./test-yaml/psp-grant.yaml))\n4. ```./kube-policy-advisor convert --podFile \u003cpath\u003e --pspFile \u003cpath\u003e``` to generate a OPA Policy from a single .yaml file.\n   - 4.1 ```./kube-policy-advisor convert --podFile \u003cpath\u003e --policy \u003cpath\u003e --deny-by-default``` to generate an OPA Policy from a single .yaml file, where OPA Default Rule is Deny ALL.\n   - 4.2 ```./kube-policy-advisor convert --policy psp --podFile \u003cpath\u003e --policyFile \u003cpath\u003e ``` to generate PSP from a single .yaml file.\n    \n## Build and Run as Container\n1. ```docker build -t \u003cImage Name\u003e -f container/Dockerfile .```\n2. ```docker run -v ~/.kube:/root/.kube -v ~/.aws:/root/.aws \u003cImage Name\u003e``` (the `.aws` folder mount is optional and totally depends on your clould provider)\n\n## Use Cases\n1. Help verify the deployment, daemonset settings in cluster and plan to reduce unnecessary privileges/resources\n2. Apply Pod Security Policy to the target cluster\n3. Apply OPA Policy to the target cluster\n3. flag `--namespace=\u003cnamespace\u003e` is introduced to debug and narrow down the security context per namespace\n\n## Attributes Aggregated for Pod Security Policy\n- allowPrivilegeEscalation\n- allowedCapabilities\n- allowedHostPaths\n  - readOnly\n- hostIPC\n- hostNetwork\n- hostPID\n- privileged\n- readOnlyRootFilesystem\n- runAsUser\n- runAsGroup\n- Volume\n- hostPorts\n- allowedUnsafeSysctls\n\n## Limitations\nSome attributes(e.g. capabilities) required gathering runtime information in order to provide the followings:\n- Least privilege (capabilities captured from runtime)\n\n## High-level todo list\n\n- [x] Basic functionalities;\n- [ ] Create PSP's for common charts\n- [x] Kubectl plugin\n- [x] Generate OPA policies\n\n## Sample Pod Security Policy\nCommand: `./kube-policy-advisor inspect --namespace=psp-test`\n```\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n  creationTimestamp: null\n  name: pod-security-policy-20181130114734\nspec:\n  allowedCapabilities:\n  - SYS_ADMIN\n  - NET_ADMIN\n  allowedHostPaths:\n  - pathPrefix: /bin\n  - pathPrefix: /tmp\n  - pathPrefix: /usr/sbin\n  - pathPrefix: /usr/bin\n  fsGroup:\n    rule: RunAsAny\n  hostIPC: false\n  hostNetwork: false\n  hostPID: false\n  privileged: true\n  runAsUser:\n    rule: RunAsAny\n  seLinux:\n    rule: RunAsAny\n  supplementalGroups:\n    rule: RunAsAny\n  volumes:\n  - hostPath\n  - configMap\n  - secret\n  ```\n\n## Sample Report\nCommand: `./kube-policy-advisor inspect --namespace=psp-test --report | jq .podSecuritySpecs`\n```\n{\n  \"hostIPC\": [\n    {\n      \"metadata\": {\n        \"name\": \"busy-rs\",\n        \"kind\": \"ReplicaSet\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"hostNetwork\": true,\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"configMap\"\n      ]\n    },\n    {\n      \"metadata\": {\n        \"name\": \"busy-job\",\n        \"kind\": \"Job\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"hostPath\"\n      ],\n      \"mountedHostPath\": [\n        \"/usr/bin\"\n      ]\n    }\n  ],\n  \"hostNetwork\": [\n    {\n      \"metadata\": {\n        \"name\": \"busy-rs\",\n        \"kind\": \"ReplicaSet\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"hostNetwork\": true,\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"configMap\"\n      ]\n    },\n    {\n      \"metadata\": {\n        \"name\": \"busy-pod\",\n        \"kind\": \"Pod\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostNetwork\": true,\n      \"volumeTypes\": [\n        \"hostPath\",\n        \"secret\"\n      ],\n      \"mountedHostPath\": [\n        \"/usr/bin\"\n      ]\n    }\n  ],\n  \"hostPID\": [\n    {\n      \"metadata\": {\n        \"name\": \"busy-deploy\",\n        \"kind\": \"Deployment\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"volumeTypes\": [\n        \"hostPath\"\n      ],\n      \"mountedHostPath\": [\n        \"/tmp\"\n      ]\n    },\n    {\n      \"metadata\": {\n        \"name\": \"busy-rs\",\n        \"kind\": \"ReplicaSet\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"hostMetwork\": true,\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"configMap\"\n      ]\n    }\n  ]\n}\n```\n\n## Commercial\nGenerating PSPs based on runtime activity, simulating PSPs and managing different PSPs across Kubernetes namespaces can simplify the life of every Kubernetes operator.\nCheck out how Sysdig Secure can help - https://sysdig.com/blog/psp-in-production/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fkube-policy-advisor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fkube-policy-advisor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fkube-policy-advisor/lists"}